JP6773116B2 - Communication method - Google Patents

Description

The present disclosure relates to a communication system, a subscriber information management device, an information acquisition method, and a program, for example, a communication system that executes security processing, a subscriber information management device, an information acquisition method, and a program.

In recent years, studies on IoT (Internet of Things) services have been underway. For the IoT service, many terminals (hereinafter referred to as IoT terminals) that autonomously execute communication without requiring user operation are used. Therefore, in order for a service provider to provide an IoT service using many IoT terminals, it is desired to efficiently accommodate many IoT terminals in a network managed by a telecommunications carrier or the like.

Non-Patent Document 1 describes the configuration of a core network to which network slicing is applied in Annex B. Network slicing is a technology for dividing a core network for each service to be provided in order to efficiently accommodate many IoT terminals. In addition, Section 5.1 states that each divided network (network slice system) needs to be customized and optimized.

On the other hand, Section 6.2 of Non-Patent Document 2 describes the structure of the key used in the security processing of EPS (Evolved Packet System). Specifically, USIM (Universal Subscriber Identity Module) and AuC (Authentication Center) have a master key K. USIM and AuC use the master key K to generate CK (Confidentiality Key) and IK (Integrity Key).

Next, the UE (User Equipment) and the HSS (Home Subscriber Server) generate a key K _ASME using CK, IK, and SSID (Serving Network Identity). The SNID is an ID that identifies a telecommunications carrier. Next, the UE and the MME (Mobility Management Entity) use the key _KASME to generate a key used for security processing of the core network and the radio access network.

In EPS, security processing such as message encryption and message tampering prevention (message integrity guarantee) is executed using the key generated in this way.

3GPP TR23.799 V0.2.0 (2016-2) Annex B, 5.1 Key issue 1: Support of network slicing 3GPP TS 33.401 V13.2.0 (2016-03) 6.2 EPS key hierarchy

When the network slicing disclosed in Non-Patent Document 1 is applied, it is assumed that different keys are used for each network slicing system in order to increase the independence of each network slicing system and improve security. .. However, the key configuration disclosed in Non-Patent Document 2 indicates that the UE uses one key _KASME in the core network. Therefore, even if the key configuration disclosed in Non-Patent Document 2 is used for the core network to which network slicing is applied, it is not possible to generate a different key for each network slice system. Therefore, there is a problem that the independence of each network slicing system cannot be improved and the security cannot be improved.

An object of the present disclosure is a communication system, a subscriber information management device, and information acquisition that can maintain a high security level in each divided network (network slice system) when network slicing is applied to a core network. It is to provide methods and programs.

The communication system according to the first aspect of the present disclosure is used in a subscriber information management device that manages subscriber information of a communication terminal, the communication terminal, and at least one network slice system in which the communication terminal can be used. The subscriber information management device includes a security device that manages the security information in association with the security information, and the subscriber information management device uses the identification information of the communication terminal and the identification information of the network slice system used by the communication terminal from the security device. It acquires security information used in the network slice system used by the communication terminal.

The subscriber information management device according to the second aspect of the present disclosure communicates with a communication terminal and a security device that manages the security information used in at least one network slice system available to the communication terminal in association with each other. The communication unit includes a communication unit and a management unit that manages identification information of the network slice system associated with the security device. The communication unit includes identification information of the communication terminal and a network slice system used by the communication terminal. The identification information is used to acquire the security information used in the network slice system used by the communication terminal from the security device.

The information acquisition method according to the third aspect of the present disclosure includes a security device that manages a communication terminal and security information used in at least one network slice system that can be used by the communication terminal in association with each other, and the security device. The network slice system used by the communication terminal from the security device by managing the identification information of the network slice system associated with the security device and using the identification information of the communication terminal and the identification information of the network slice system used by the communication terminal. This is to acquire the security information used in.

The program according to the fourth aspect of the present disclosure associates a security device that manages the communication terminal and security information used in at least one network slice system that can be used by the communication terminal with the security device. The identification information of the network slice system is managed, and the identification information of the communication terminal and the identification information of the network slice system used by the communication terminal are used in the network slice system used by the communication terminal from the security device. It causes the computer to acquire the security information to be obtained.

According to the present disclosure, when network slicing is applied to a core network, a communication system, a subscriber information management device, an information acquisition method, which can maintain a high security level in each divided network (network slice system), And the program can be provided.

It is a block diagram of the communication system which concerns on Embodiment 1. FIG. It is a block diagram of the communication system which concerns on Embodiment 2. FIG. It is a block diagram of AuC which concerns on Embodiment 2. FIG. It is a figure which shows the information managed by AuC which concerns on Embodiment 2. FIG. It is a block diagram of HSS which concerns on Embodiment 2. FIG. It is a figure which shows the information managed by HSS which concerns on Embodiment 2. FIG. It is a block diagram of the UE which concerns on Embodiment 2. FIG. It is a figure which shows the flow of the Attach process which concerns on Embodiment 2. It is a figure which shows the flow of AKA processing which concerns on Embodiment 2. It is a figure explaining the derivation of the service key in AuC which concerns on Embodiment 2. FIG. It is a figure explaining the derivation of the service key in the UE which concerns on Embodiment 2. FIG. It is a figure which shows the information managed by AuC which concerns on Embodiment 2. FIG. It is a block diagram of the communication system which concerns on Embodiment 3. FIG. It is a block diagram of the UE which concerns on each embodiment. It is a block diagram of AuC and HSS which concerns on each embodiment.

(Embodiment 1)
Hereinafter, embodiments of the present disclosure will be described with reference to the drawings. The communication system of FIG. 1 has a subscriber information management device 10 and a security device 20. The subscriber information management device 10 and the security device 20 may be computer devices that are operated by the processor executing a program stored in the memory.

The subscriber information management device 10 manages the subscriber information of at least one communication terminal. The communication terminal may be, for example, a mobile phone terminal, a smartphone terminal, a computer device having a communication function, or the like. The communication terminal may be an IoT terminal, an M2M (Machine to Machine) terminal, an MTC (Machine Type Communication) terminal, or the like.

The subscriber information may be, for example, contract information about a user who uses the communication terminal, location information of the communication terminal, information for identifying the communication terminal, or the like.

The security device 20 manages the information for identifying the communication terminal (identification information of the communication terminal) in association with the security information used in at least one network slice system that can be used by the communication terminal. Security information is information unique to each network slice system. The security information may be key information used when authenticating a communication terminal. The security information may be key information or the like used when executing data encryption or integrity guarantee processing. The security information may be a master key used to generate key information used for authentication, encryption, or the like. The security information may be a security algorithm or the like used when executing security processing.

The subscriber information management device 10 acquires the security information used in the network slice system used by the communication terminal from the security device 20 by using the identification information of the communication terminal and the identification information of the network slice system used by the communication terminal. ..

As described above, by using the communication system of FIG. 1, the subscriber information management device 10 can acquire the security information used in the network slice system used by the communication terminal. Therefore, the subscriber information management device 10 can use different security information for each network slice system used by the communication terminal. As a result, the independence of the network slice system can be increased and the security of the entire core network can be improved.

(Embodiment 2)
A configuration example of the communication system according to the second embodiment of the present disclosure will be described with reference to FIG. The communication system of FIG. 2 has a core network 100, a 5G RAN (Radio Access Network) 80, and a UE (User Equipment) 90. The core network 100 may be, for example, a network defined in 3GPP (3rd Generation Partnership Project).

UE is used as a general term for communication terminals in 3GPP. Although only one UE 90 is shown in FIG. 2, the communication system of FIG. 2 may include a plurality of UE 90s.

The 5G RAN 80 is a network that provides a wireless line to the UE 90. The 5G RAN 80 may have, for example, a base station, and may further have a base station control device for controlling the base station and the like. The 5G RAN 80 is a next-generation RAN that realizes, for example, low delay and wide band radio frequency. The RAN used for the next generation is called 5G RAN, but the name of the RAN used for the next generation is not limited to 5G RAN.

A configuration example of the core network 100 will be described. The core network 100 includes HSS (Home Subscriber Server) 30, AuC (Authentication Center) 40, AuC50, AuC60, CPF (Control Plane Function) entity 70 (hereinafter referred to as CPF70), NS (Nework Slice) system 110, and NS system. It has 120 and an NS system 130. Each AuC may be in the same device as the HSS 30, and some functions of the AuC may be implemented in the HSS 30. Also, each AuC may fit within each NS system.

The HSS 30 corresponds to the subscriber information management device 10 of FIG. The HSS 30 manages subscriber information about the UE 90. Further, the HSS 30 may be replaced with an HLR (Home Location Register). The HSS 30 has a key management function. Further, the HSS 30 transmits the key information to each NS system. The key management function is a function for managing which node device or which NS system the key information about the UE is transmitted to. Further, the key management function is a function of managing the type of key information transmitted to the node device or the NS system. Further, the HSS 30 has some functions of the key management function, and other functions may be provided by a device different from the HSS 30. Alternatively, a device different from the HSS 30 may have all the functions related to the key management function.

Each of AuC40, AuC50, and AuC60 (hereinafter referred to as AuC40, etc.) corresponds to the security device 20 of FIG. AuC40 and the like manage key information used for security processing related to UE 90. Further, AuC40 and the like manage parameters related to security processing related to the UE 90. The parameters related to the security process may be, for example, parameters used in the integrity assurance process, the confidentiality process, and the encryption process of NAS (Non Access Stratum). NAS is a layer used for communication between the UE 90 and the like and the core network 100. The parameters related to the security process may be parameters used for the integrity assurance process, the confidentiality process, and the encryption process of AS (Access Stratum). The AS is a layer used for communication between the 5G RAN80 and the UE 90.

The parameter related to security processing may be a parameter that defines the key length. The key length is indicated by, for example, the number of bits. The parameter related to the security process may be a parameter indicating an encryption algorithm, a key generation algorithm, an authentication algorithm, or the like.

The CPF 70 is a device that processes C-Plane data related to the UE 90 in the core network 100. The C-Plane data may be referred to as control data. The CPF 70 may be referred to as a control device because it is a device that processes control data. Further, the CPF 70 may have a function corresponding to the MME (Mobility Management Entity) defined in 3GPP.

The NS system 110 is a communication system used to provide services different from those of the NS system 120 and the NS system 130. Further, the NS system 120 is a communication system used to provide a service different from that of the NS system 130. The service provided by each NS system may be, for example, an automatic driving service, a service related to a smart meter, a vending machine management service, or the like. The services provided by the NS system are not limited to these services, and there are various services.

In FIG. 2, it is shown that the CPF 70 is located in the core network 100 and does not belong to any of the NS system 110, the NS system 120, and the NS system 130. However, the CPF 70 may belong to any of the NS system 110, the NS system 120, and the NS system 130, or the NS system 110, the NS system 120, and the NS system 130 may each have a CPF 70. Good.

Subsequently, a configuration example of AuC40 according to the second embodiment of the present disclosure will be described with reference to FIG. AuC50 and AuC60 have the same configuration as AuC40. The AuC40 has a communication unit 41, a security information management unit 42, and an NS key generation unit 43. The communication unit 41 may be a transmitter unit (transmitter) and a receiver unit (receiver).

The communication unit 41, the security information management unit 42, and the NS key generation unit 43 may be software or modules whose processing is executed by the processor executing a program stored in the memory. The communication unit 41, the security information management unit 42, and the NS key generation unit 43 may be hardware such as a circuit or a chip.

The communication unit 41 mainly transmits data to and from the HSS 30.

The security information management unit 42 manages the security information associated with each UE 90. Here, the information managed by the security information management unit 42 will be described with reference to FIG. The security information management unit 42 manages the IMSI (International Mobile Subscriber Identity) in association with the NSID (Network Slice Identity) and the master key K. The IMSI is identification information used to identify the UE 90. The NSID is identification information used to identify the NS system.

FIG. 4 shows that a UE with an IMSI of 001 can utilize the NS system 110 and the NS system 120. Further, FIG. 4 shows that the UE having the IMSI of 001 is assigned the master key Ka_001 used for the security processing in the NS system 110 and the master key Kb_001 used for the security processing in the NS system 120. Is shown. For the UE whose IMSI is 002, the available NS system and the master key K used for security processing in the NS system are associated with each other.

FIG. 4 shows that the security information management unit 42 manages the master keys related to a plurality of NS systems, but the security information management unit 42 may manage only the master keys related to one NS system. For example, AuC40 may be used as a device for managing the master key K for the NS system 110. In this case, the security information management unit 42 may manage the IMSI and the master key K in association with each other without managing the information related to the NSID.

Returning to FIG. 3, the NS key generation unit 43 uses the master key K to generate the service key Ksv used in each NS system. For example, the NS key generation unit 43 uses the master key Ka_001 to generate the service key Ksv-A used in the NS system 110 by the UE having the IMSI of 001. Further, the NS key generation unit 43 uses the master key Kb_001 to generate the service key Ksv-B used in the NS system 120 by the UE having the IMSI of 001. Similarly, the service key Ksv is generated for the UE having the IMSI of 002.

A configuration example of the HSS 30 according to the second embodiment of the present disclosure will be described with reference to FIG. The HSS 30 has a communication unit 31 and an information management unit 32. The communication unit 31 and the information management unit 32 may be software or modules whose processing is executed by the processor executing a program stored in the memory. Alternatively, the communication unit 31 and the information management unit 32 may be hardware such as a circuit or a chip. The communication unit 31 may be a transmitter unit (transmitter) and a receiver unit (receiver).

The communication unit 31 transmits data to and from AuC40, AuC50, and AuC60. Further, the communication unit 31 transmits data between the node device constituting the NS system 110, the node device constituting the NS system 120, and the node device constituting the NS system 130.

The information management unit 32 manages information associated with the AuC40 or the like and the NS system. Here, the information managed by the information management unit 32 will be described with reference to FIG. FIG. 6 shows that the AuC40 is associated with the NS systems 110-10 to the NS system 130, and that the AuC50 is further associated with the NS systems 140 to 160. The AuC40 and the NS system 110 to the NS system 130 are associated with each other because the AuC40 manages the master key K used for security processing in the NS system 110 to the NS system 130 for each UE.

A configuration example of the UE 90 according to the second embodiment of the present disclosure will be described with reference to FIG. 7. The UE 90 has a communication unit 91 and an NS key generation unit 92. The communication unit 91 and the NS key generation unit 92 may be software or modules whose processing is executed by the processor executing a program stored in the memory. Alternatively, the communication unit 91 and the NS key generation unit 92 may be hardware such as a circuit or a chip. The communication unit 91 may be a transmitter unit (transmitter) and a receiver unit (receiver).

The communication unit 91 mainly transmits data to and from a base station or the like constituting the 5G RAN 80.

The NS key generation unit 92 uses the master key K to generate the service key Ksv used in each NS system. For example, it is assumed that the NS key generation unit 92 can use the NS system 110 and the NS system 120. In this case, the NS key generation unit 92 uses the master key Ka_001 to generate the service key Ksv-A used in the NS system 110, and uses the master key Kb_001 to generate the service key Ksv-B used in the NS system 120. To do.

For example, the communication unit 91 may have a plurality of SIMs and manage different master keys K for each SIM. Further, each SIM may be associated with any NS system.

The flow of Attach processing relating to the UE 90 according to the second embodiment of the present disclosure will be described with reference to FIG.

First, the UE 90 starts a connection process with the 5G RAN 80 (S11). For example, the UE 90 connects to the base station via a wireless communication line in order to communicate with the base station arranged in the 5G RAN 80.

Next, the UE 90 transmits an Attach request message to the CPF 70 via the 5G RAN 80 (S12). The UE 90 uses, for example, the service provided by the NS system 110. In this case, the UE 90 transmits an Attach request message in which the IMSI of the UE 90 and the NSID indicating the NS system 110 are set to the CPF 70. The UE 90 may set a plurality of NSIDs.

Next, the AKA (Authentication and Key Agreement) process is executed between the UE 90, the CPF 70, the HSS 30 and the Au C40 (S13). By executing the AKA process in step S13, it can be confirmed in the UE 90 and the HSS 30 that the service key Ksv-A generated in the UE 90 and the service key Ksv-A generated in the Au C40 match. When the UE 90 sets a plurality of NSIDs in the Attach request message, a service key Ksv is generated for each NS system. In this case, in the AKA process in step S13, it is confirmed whether the service key Ksv generated for each NS system in the UE 90 matches the service key Ksv generated for each NS system in the AuC40. The service key Ksv may be authenticated by executing a process other than AKA between the UE 90, CPF 70, HSS 30, and AuC 40.

After the AKA process in step S13 is executed, the UE 90 can use the service provided in the NS system 110 by using the service key Ksv-A. For example, when the UE 90 accesses the device of the NS system 110, the UE 90 may transmit the password information or the like input from the user who operates the UE 90 to the device of the NS system 110. The device included in the NS system 110 may provide a service to the UE 90 when the validity of the transmitted password can be confirmed.

Alternatively, the device included in the NS system 110 may hold the service key Ksv-A related to the UE 90 in advance. For example, the device included in the NS system 110 may acquire the service key Ksv-A from HSS30 or AuC40. The device of the NS system 110 executes AKA processing and provides a service to the UE 90 when the service key Ksv-A held by the own device and the service key Ksv-A held by the UE 90 match. You may.

In FIG. 8, in step S12, it is shown that the UE 90 transmits an Attach request message in which the IMSI of the UE 90 and the NSID indicating the NS system 110 are set to the CPF 70. On the other hand, when there is only one NS system that can be used by the UE 90 and the NS system that can be used by the UE 90 is managed as subscriber information in the HSS 30, the UE 90 is attached with only the IMSI set. A request message may be sent to the CPF 70. When there are a plurality of NS systems that can be used by the UE 90, the UE 90 sends an Attach request message that sets the identification information of the IMSI and the NS system to be used to the CPF 70.

The details of the AKA process in step S13 of FIG. 8 will be described with reference to FIG. First, the CPF 70 sends an Authentication data request message to the HSS 30 (S21). The Authentication data request message includes the IMSI (International Mobile Subscriber Identity) of the UE 90 and the NS ID indicating the NS system that the UE 90 wants to use. The NSID is, for example, identification information indicating the NS system 110.

Next, the HSS 30 sends an Auth data create request message to the AuC40 (S22). The Auth data create request message includes the IMSI of the UE 90 and the NSID indicating the NS system that the UE 90 wants to use. In FIG. 9, the NSID is assumed to be identification information indicating the NS system 110. The HSS 30 can identify the AuC associated with the NSID specified by the UE 90 using the information shown in FIG. Here, the HSS 30 has received an NSID indicating the NS system 110. Therefore, the HSS 30 can identify the destination of the Auth data create request message as AuC40 by using the information shown in FIG. If the UE 90 does not specify an NSID, the HSS 30 identifies the AuC associated with a predetermined default NS system. The default NS system may be predetermined for each UE or may be defined according to the priority managed in the HSS 30. The priority may be set for each UE.

It is assumed that there is only one NS system that can be used by the UE 90, and that the HSS 30 manages information that associates the IMSI of the UE 90 with the NS system that can be used by the UE 90 as subscriber information. In this case, the HSS 30 can use the IMSI transmitted from the CPF 70 to identify the NS system available to the UE 90. The HSS 30 may manage a plurality of NSIDs to which the UE 90 can be connected as subscriber data. In this case, the HSS 30 may repeatedly send an Auth data create request message to AuC40 or the like corresponding to all NSIDs indicated by the subscriber data.

Next, AuC40 derives the service key Ksv-A using KDF (Key Derivation Function) (S23). Here, with reference to FIG. 10, the derivation process of the service key Ksv using KDF in the NS key generation unit 43 of AuC40 will be described.

In FIG. 10, as a result of inputting the master key K, NSID, RAND (Random number), and SQN (Sequence Number) into the KDF, the XRES (Expected Response), AUTON (Authentication token), and service key Ksv are obtained. Indicates that it will be output. For KDF, for example, a derivation function such as HMAC-SHA-256 is used. Here, the master key K input to the KDF is the service key Ka associated with the NS system 110. Further, the service key Ksv output from the KDF is the service key Ksv-A used in the NS system 110.

Returning to FIG. 9, AuC40 sends an Auth data create response message to HSS30 (S24). The Auth data create response message includes RAND, XRES, Ksv-A, Ksv-A_ID, and AUTN. The RAND included in the Authentication data response message is the same as the RAND used as an input parameter when generating Ksv-A or the like in step S23. XRES, Ksv-A, and AUTON are the same as XRES, Ksv-A, and AUTON generated in step S23. Ksv-A_ID is identification information that identifies Ksv-A. When the HSS30 repeatedly sends Auth data create request messages to multiple AuCs, it confirms that the corresponding Auth data create response messages are returned from all AuCs, and then it is included in each Auth data create response message. RAND, XRES, Ksv-A, Ksv-A_ID, and AUTON are set in the Authentication data response message for each corresponding NSID.

Next, the HSS 30 transmits an Authentication data response message to the CPF 70 (S25). The Authentication data response message includes RAND, XRES, Ksv-A, Ksv-A_ID, and AUTN included in the Auth data create response message transmitted in step S24. RAND, XRES, Ksv-A, Ksv-A_ID, and AUTN may be set for each NSID.

Next, the CPF 70 transmits an Authentication request message to the UE 90 via the 5G RAN 42 (S26). The Authentication request message includes RAND, AUTON, and Ksv-A_ID. The RAND, AUTN, and Ksv-A_ID are the RAND, AUTN, and Ksv-A_ID received from the HSS 30 in step S25. When the UE 90 sets a plurality of NSIDs in the Attach request message (S12), RAND, AUTN, and Ksv-A_ID for each NSID are set.

Next, the UE 90 derives the service key Ksv-A using the KDF (S27). Here, with reference to FIG. 11, the service key Ksv derivation process using the KDF in the NS key generation unit 92 of the UE 90 will be described.

FIG. 11 shows that the RES (Response), SQN, and service key Ksv are output as a result of inputting the master key K, NSID, RAND, and AUTON into the KDF. For KDF, for example, a derivation function such as HMAC-SHA-256 is used. Here, it is assumed that the service key Ka associated with the NS system 110 is used as the master key K input to the KDF. Further, the service key Ksv output from the KDF is the service key Ksv-A used in the NS system 110. Here, it is assumed that the UE 90 has a predetermined NS system that can be accessed, and holds the NSID of the NS system in advance.

Returning to FIG. 9, the UE 90 transmits an Authentication response message to the CPF 70 via the 5G RAN 80 (S28). The Authentication response message includes RES. The RES included in the Authentication response message is the same as the RES generated in step S27. When a plurality of NSIDs are set in the Authentication request message (S26), the RES for each NSID is set.

Next, the CPF 70 compares the XRES included in the Authentication data response message received in step S25 with the RES included in the Authentication response message received in step S28 (S29). In step S29, when RES and XRES match, CPF70 can determine that Ksv-A generated in AuC40 and Ksv-A generated in UE90 match. When a plurality of NSIDs are handled, the CPF 70 performs a comparison between RES and XRES for each NSID. When the RES and the XRES match, the CPF 70 notifies the HSS 30 that the RES and the XRES match, or that the authentication for Ksv-A is successful. Further, the HSS 30 transmits Ksv-A_ID and Ksv-A to the NS system 110.

Next, a case where the AKA process related to the UE 90 causes an error will be described. For example, if the AuC40 uses the NSID set in the Auth data create request as the response message to the Auth data create request message when the UE 90 is not available, the AuC40 contains an Auth data create error including the cause value "No subscription to Network slice". Send a message to HSS30. Further, the HSS 30 sends an Authentication data reject message including the cause value "No subscription to Network slice" to the CPF 70. Further, the CPF 70 sends an Authentication failure message including the cause value "Access to Network slice not allowed" to the UE 90. In this case, the UE 90 remembers that the NSID set in the Attach request message (S12) is not provided in the operator network. Further, in this case, the UE 90 may set another NSID and perform the ATTACH procedure toward the same operator network.

If the authentication in step S29 fails, the CPF 70 sends an Authentication failure message including the cause value "Network Slice Authentication failed" to the UE 90. In this case, the UE 90 remembers that the NSID set in the Attach request message (S12) is not provided in the operator network. Further, in this case, the UE 90 may set another NSID and perform the ATTACH procedure toward the same operator network.

In addition, the operation when the authentication for only some NSIDs is successful for the authentication performed for a plurality of NSIDs will be described. In this case, the CPF 70 may consider that the authentication has failed, notify the UE 90 to that effect, and prompt the UE 90 to re-ATTACH, or allow the connection only to the authenticated NSID. The following is the operation in each case.

When it is considered that the authentication has failed and the UE 90 is notified to that effect and urged to re-ATTACH:
The CPF 70 sends an Authentication failure message including the cause value “Network Slice Authentication failed” to the UE 90. In this case, the CPF 70 may set an "Authentication status list" indicating the authentication result status of each NSID in the Authentication failure message. In this case, the UE 90 may set only the NSID whose authentication is partially successful and perform the ATTACH procedure toward the same operator network.

To allow connections only for authenticated NSIDs:
The CPF 70 may send an Authentication response message containing the cause value "Network Slice Authentication partially failed" to the UE 90 assuming that the authentication is partially successful. In this case, the CPF 70 may set an "Authentication status list" indicating the authentication result status of each NSID in the Authentication response message. In this case, the UE 90 recognizes that the authentication was successful only for the NSID that was partially successfully authenticated. In this case, the UE 90 may enjoy only the services provided by the Network Slice that has been partially authenticated.

Next, the operation when the UE 90 succeeds in authenticating the NSID set in the Attach request message (S12) will be described. The CPF 70 may notify the Network Slice system shown in FIG. 2 of the authenticated service key Ksv. Further, the Network Slice system may further generate a necessary service key by using the service key Ksv. Further, the Network Slice system shown in FIG. 2 may perform a further authentication operation in conjunction with the HSS 30.

Further, the HSS 30 may manage the IMSI of the UE 90 in association with the NSID that can be used by the UE 90. In this case, in step S21, the HSS 30 receives the Authentication data request message. If the UE 90 cannot use the NSID set in the Authentication data request message, the HSS 30 sends an error message as a response message to the Authentication data request message. The HSS 30 can request associated data from each AuC. Further, each AuC can transmit the updated data to the HSS 30 when the association data is updated. For example, each AuC may be managed in association with the IMSI, NSID, and access right, as shown in FIG. As shown in FIG. 12, the association data is, for example, data in which the IMSI, the NSID, and the access right are associated with each other. FIG. 12 shows that the UE with the IMSI 003 can access the NS system 110 but not the NS system 120 and the NS system 130. Further, a UE having an IMSI of 004 indicates that it can access the NS system 140 and the NS system 150, but not the NS system 160. When each AuC updates the data shown in FIG. 12, the updated data is transmitted to the HSS 30.

(Embodiment 3)
Subsequently, a configuration example of the communication system according to the third embodiment of the present disclosure will be described with reference to FIG. FIG. 13 shows that the UE 95 has moved from the HPLMN (Home Public Land Mobile Network) 101, which is a home network, to the VPLMN (Visited Public Land Mobile Network) 102. In other words, FIG. 13 shows that the UE 95 roamed from HPLMN 101 to VPLMN 102.

HPLMN101 has HSS35, AuC51, AuC52, CPF71, DEA (Diameter Edge Agent) 72, NS system 111, and NS system 112. The UE 95 communicates with the HPLMN 101 via the 5G RAN 81. In addition, VPLMN102 has HSS36, AuC61, AuC62, CPF73, DEA74, NS system 121, and NS system 122. The UE 95 communicates with the VPLMN 102 via the 5G RAN 82. DEA72 and DEA74 are devices that relay Diameter signals. The configurations other than DEA72 and DEA74 are the same as those of the communication network shown in FIG.

When the UE 95 moves from the HPLMN 101 to the VPLMN 102, the Attach process is executed in the VPLMN 102. In this case, the UE 95 connects to the CPF 73 via the 5G RAN 82 in the same manner as the Attach process described in steps S11 and S12 of FIG.

Next, as a result of inquiring to the HSS 36 in step S13 of FIG. 8, the CPF 73 determines that the UE 95 is a roaming terminal having the HPLMN 101 as a home network. Therefore, the CPF 73 connects to the CPF 71 via the DEA 74 and DEA 72. The UE 95 executes an AKA process with the CPF 71 via the CPF 73, DEA 74, and DEA 72. It is assumed that the UE 95 requests to use the service provided by the NS system 111 in the HPLMN 101, for example. In this case, the UE 95 may execute the AKA process with the CPF 71, and when the authentication is completed, may communicate with the NS system 111 via, for example, the NS system 121.

The VPLMN 102 may define the NS system 121 in advance as an NS system that can be used by roaming terminals. Alternatively, the NS system of the VPLMN 102 corresponding to the NS system 111 of the HPLMN 101 and the NS system of the VPLMN 102 corresponding to the NS system 112 of the HPLMN 101 may be predetermined. For example, the NS system 111 of the HPLMN 101 and the NS system 121 of the VPLMN 102 may be associated with each other, and the NS system 112 of the HPLMN 101 and the NS system 122 of the VPLMN 102 may be associated with each other.

As described above, the UE 95 can access the NS system in the HPLMN 101 via the VPLMN 102 even when roaming from the HPLMN 101 to the VPLMN 102.

Subsequently, the configuration examples of UE90, AuC40-60, and HSS30 described in the plurality of embodiments described above will be described below.

FIG. 14 is a block diagram showing a configuration example of UE90 and UE95. Radio Frequency (RF) transceiver 1101 performs analog RF signal processing to communicate with 5G RAN 80, 81 and 82. The analog RF signal processing performed by the RF transceiver 1101 includes frequency up-conversion, frequency down-conversion, and amplification. The RF transceiver 1101 is coupled with the antenna 1102 and the baseband processor 1103. That is, the RF transceiver 1101 receives the modulation symbol data (or OFDM symbol data) from the baseband processor 1103, generates a transmission RF signal, and supplies the transmission RF signal to the antenna 1102. Further, the RF transceiver 1101 generates a baseband reception signal based on the reception RF signal received by the antenna 1102, and supplies the baseband reception signal to the baseband processor 1103.

The baseband processor 1103 performs digital baseband signal processing (data plane processing) and control plane processing for wireless communication. Digital baseband signal processing includes (a) data compression / restoration, (b) data segmentation / concatenation, (c) transmission format (transmission frame) generation / decomposition, and (d) transmission line coding / decoding. , (E) Modulation (symbol mapping) / demodulation, and (f) Generation of OFDM symbol data (baseband OFDM signal) by Inverse Fast Fourier Transform (IFFT). Control plane processing, on the other hand, includes layer 1 (eg, transmit power control), layer 2 (eg, radio resource management, and hybrid automatic repeat request (HARQ) processing), and layer 3 (eg, attach, mobility, and call management). Includes communication management of).

For example, for LTE and LTE-Advanced, digital baseband signal processing by the baseband processor 1103 includes signal processing at the Packet Data Convergence Protocol (PDCP) layer, Radio Link Control (RLC) layer, MAC layer, and PHY layer. It may be. The control plane processing by the baseband processor 1103 may also include processing of the Non-Access Stratum (NAS) protocol, RRC protocol, and MAC CE.

The baseband processor 1103 includes a modem processor (eg, Digital Signal Processor (DSP)) that performs digital baseband signal processing, a protocol stack processor (eg, Central Processing Unit (CPU)) that performs control plane processing, or a Micro Processing Unit. (MPU)) may be included. In this case, the protocol stack processor that performs the control plane processing may be shared with the application processor 1104 described later.

The application processor 1104 is also referred to as a CPU, MPU, microprocessor, or processor core. The application processor 1104 may include a plurality of processors (a plurality of processor cores). The application processor 1104 is a system software program (Operating System (OS)) read from memory 1106 or a memory (not shown) and various application programs (eg, call application, web browser, mailer, camera operation application, music playback). By executing the application), various functions of the UE 90 and the UE 95 are realized.

In some implementations, the baseband processor 1103 and the application processor 1104 may be integrated on one chip, as shown by the broken line (1105) in FIG. In other words, the baseband processor 1103 and the application processor 1104 may be implemented as one System on Chip (SoC) device 1105. SoC devices are sometimes referred to as system large scale integrations (LSIs) or chipsets.

The memory 1106 is a volatile memory, a non-volatile memory, or a combination thereof. Memory 1106 may include a plurality of physically independent memory devices. Volatile memory is, for example, Static Random Access Memory (SRAM) or Dynamic RAM (DRAM), or a combination thereof. Non-volatile memory can be masked Read Only Memory (MROM), Electrically Erasable Programmable ROM (EEPROM), flash memory, or hard disk drive, or any combination thereof. For example, memory 1106 may include external memory devices accessible from baseband processor 1103, application processor 1104, and SoC 1105. The memory 1106 may include a built-in memory device integrated in the baseband processor 1103, in the application processor 1104, or in the SoC 1105. Further, the memory 1106 may include the memory in the Universal Integrated Circuit Card (UICC).

The memory 1106 may store a software module (computer program) including instructions and data for performing processing by the UE 90 and the UE 95 described in the plurality of embodiments described above. In some implementations, the baseband processor 1103 or application processor 1104 may be configured to read the software module from memory 1106 and execute it to perform the processing of UE 90 and UE 95 described in the above embodiments. Good.

FIG. 15 is a block diagram showing a configuration example of AuC40, AuC50, AuC51, AuC52, AuC60, AuC61, AuC62, HSS30, HSS35, and HSS36 (hereinafter referred to as AuC40 and the like). With reference to FIG. 15, AuC40 and the like include a network interface 1201, a processor 1202, and a memory 1203. Network interface 1201 is used to communicate with network nodes (e.g., eNodeB130, MME, P-GW,). The network interface 1201 may include, for example, an IEEE 802.3 series compliant network interface card (NIC).

The processor 1202 reads software (computer program) from the memory 1203 and executes it to perform processing such as AuC40 described using the sequence diagram and the flowchart in the above-described embodiment. Processor 1202 may be, for example, a microprocessor, MPU, or CPU. Processor 1202 may include a plurality of processors.

The memory 1203 is composed of a combination of a volatile memory and a non-volatile memory. Memory 1203 may include storage located away from processor 1202. In this case, processor 1202 may access memory 1203 via an I / O interface (not shown).

In the example of FIG. 15, memory 1203 is used to store software modules. The processor 1202 can perform processing such as AuC40 described in the above-described embodiment by reading these software module groups from the memory 1203 and executing them.

As described with reference to FIGS. 14 and 15, each of the processors included in the UE 90 and UE 95, AuC40, AuC50, AuC51, AuC52, 60, AuC61, AuC62, HSS30, HSS35, and HSS36 in the above embodiment Execute one or more programs including a set of instructions for causing a computer to perform the algorithm described with reference to the drawings. This program can be stored and supplied to a computer using various types of non-transitory computer readable media. Non-transitory computer-readable media include various types of tangible storage media. Examples of non-temporary computer-readable media are magnetic recording media (eg flexible disks, magnetic tapes, hard disk drives), magneto-optical recording media (eg magneto-optical disks), Compact Disc Read Only Memory (CD-ROM), CD- Includes R, CD-R / W, semiconductor memory (eg, mask ROM, Programmable ROM (PROM), Erasable PROM (EPROM), flash ROM, Random Access Memory (RAM)). The program may also be supplied to the computer by various types of transient computer readable media. Examples of temporary computer-readable media include electrical, optical, and electromagnetic waves. The temporary computer-readable medium can supply the program to the computer via a wired communication path such as an electric wire and an optical fiber, or a wireless communication path.

The present disclosure is not limited to the above embodiment, and can be appropriately modified without departing from the spirit. Further, the present disclosure may be carried out by appropriately combining the respective embodiments.

Although the disclosure of the present application has been described above with reference to the embodiments, the disclosure of the present application is not limited to the above. Various changes that can be understood by those skilled in the art can be made to the structure and details of the disclosure of the present application within the scope of the disclosure.

This application claims priority on the basis of Japanese application Japanese Patent Application No. 2016-140760 filed on July 15, 2016 and incorporates all of its disclosures herein.

10 Subscriber information management device 20 Security device 30 HSS
31 Communication Department 32 Information Management Department 35 HSS
36 HSS
40 AuC
41 Communication Department 42 Security Information Management Department 43 NS Key Generation Department 50 AuC
51 AuC
52 AuC
60 AuC
61 AuC
62 AuC
70 CPF
71 CPF
72 DEA
73 CPF
74 DEA
80 5G RAN
81 5G RAN
825G RAN
90 UE
91 Communication unit 92 NS key generation unit 95 UE
100 core network 101 HPLMN
102 VPLMN
110 NS system 111 NS system 112 NS system 120 NS system 121 NS system 122 NS system 130 NS system

Claims (8)

A communication method for communication systems
The core network system receives a first message containing the identities of a plurality of network slice systems from a communication terminal, and receives a first message.
The core network system authenticates the communication terminal for each of the IDs of the plurality of network slice systems.
A communication method in which the core network system transmits a second message including whether or not the authentication is successful to the communication terminal. The communication method according to claim 1.
When the authentication fails, the core network system transmits a cause value related to the failure of the authentication to the communication terminal. The communication method according to claim 1.
The core network system includes a server device and
The server device has subscriber information regarding authentication for the plurality of network slice systems. A communication method for a core network system that includes multiple network slice systems that provide services to communication terminals.
Upon receiving the first message including the IDs (Identities) of the plurality of network slice systems from the communication terminal,
The communication terminal is authenticated for each of the IDs of the plurality of network slice systems.
A communication method for transmitting a second message including whether or not the authentication is successful to the communication terminal. The communication method according to claim 4.
When the authentication fails, the cause value related to the failure is transmitted to the communication terminal. The communication method according to claim 4.
The core network system includes a server device and
The server device has subscriber information regarding authentication for the plurality of network slice systems. A communication method used for communication terminals.
A first message containing the identities of multiple network slice systems is sent to the core network system and
A communication method for receiving a second message including whether or not the authentication is successful from the core network system that has authenticated for each of the IDs of the plurality of network slice systems. The communication method according to claim 7.
When the authentication fails, a cause value related to the authentication failure is received from the core network system.

Images